1. Field of the Invention
The present invention relates to: a digital certificate management system in which a digital certificate management apparatus manages digital certificates used for authentication processes between one or more clients and one or more servers forming a client server system; a digital certificate management apparatus forming such a system; a digital certificate management method of managing digital certificates; an update procedure determination method for a case where an authentication key for verifying a digital certificate is updated when managing the digital certificate; and a program for causing a computer to function as the above-mentioned digital certificate management apparatus.
2. Description of the Related Art
Conventionally, client server systems have been constructed in which a plurality of computers such as PCs are connected via a network so that communications can be performed among the computers, with at least one of the computers serving as a server apparatus (server) and at least one other computer serving as a client apparatus (client).
In such client server systems, a request is transmitted from the client apparatus to the server apparatus, and the server apparatus carries out a process in accordance with the request and returns the response to the client apparatus. Such client server systems are widely used for so-called electronic commerce, where, for example, the client apparatus transmits an order request for products and the server apparatus receives the order request. Further, systems have been proposed in which various electronic apparatuses are provided with the functions of a client apparatus or a server apparatus and connected via a network, and remote management of the electronic apparatuses is performed through communications among them.
In such a case, it is important to confirm whether a communication party is legitimate and whether transmitted information has been altered. In particular, on the Internet, information is in many cases relayed through unrelated computers before it reaches the communication party. Hence, when confidential information is transmitted, it is also necessary to prevent its contents from being read by eavesdroppers. A protocol called SSL (Secure Socket Layer), for example, has been developed and is widely used as a communication protocol that meets this demand. By communicating with SSL, it is possible to authenticate the communication parties by combining public-key cryptography with common key cryptography, and to prevent alteration and interception of information by encrypting it.
Here, a description is given of a communication procedure in a case where an authentication process is performed by using the public-key cryptography and a digital certificate used in such a case.
First, a description is given of a case where a client apparatus authenticates a server apparatus. In this case, in order to perform an authentication process, a server private key and a server public key certificate (server certificate) are stored in the server apparatus, and a root key certificate for server authentication (server authentication root key certificate) is stored in the client apparatus. The server private key is a private key issued by a certificate authority (CA) with respect to the server apparatus. The server public key certificate is a digital certificate obtained by attaching a digital signature by the CA to a public key corresponding to the server private key. The server authentication root key certificate is a digital certificate obtained by attaching a digital signature by the CA to a server authentication root key, which is a public key for certification (hereinafter also referred to as “certification key”) corresponding to a server CA key (root private key for server authentication) that is a private key for certification used for a digital signature with respect to the server public key.
FIGS. 1A and 1B show the above-mentioned relationships.
As shown in FIG. 1A, the server public key is constructed by: a key per se for decrypting a document that is encrypted by using the server private key; and bibliographic information including, for example, a publisher (CA) of the server public key, a party to which the server public key is issued (server apparatus), and the expiration date. In order to indicate that the key per se and the bibliographic information are not altered, the CA encrypts with the use of the server CA key a hash value obtained by performing a hash process on the server public key, and attaches the encrypted hash value to the server public key as a digital signature. Additionally, on this occasion, the CA adds to the bibliographic information of the server public key the identification information of the server CA key, which is used for the digital signature, as signature key information. A public key certificate to which the digital signature is attached is the server public key certificate.
In a case where the server public key certificate is used for an authentication process, the digital signature included therein is decrypted by using the root key for server authentication (server authentication root key), which is a public key corresponding to the server CA key. When the decryption is normally performed, it is determined that the digital signature is surely attached by the CA. Also, when the hash value obtained by performing a hash process on the server public key matches the hash value obtained by the decryption, it is determined that the key per se is not damaged and/or altered. Further, when received data can be normally decrypted by using the server public key, it is determined that the received data are transmitted from the owner of the server public key, i.e., the server apparatus. Then, referring to the bibliographic information, whether to authenticate is determined based on, for example, the reliability of the CA and/or whether the server apparatus is registered.
In order to perform authentication, it is necessary to store in advance the server authentication root key. As shown in FIG. 1B, the server authentication root key is also stored as a server authentication root key certificate obtained by attaching a digital signature by the CA to the server authentication root key. Such a server authentication root key certificate employs a self-signature system in which a digital signature can be decrypted by means of a public key included therein. When using the server authentication root key, the digital signature is decrypted by using the public key included in the server authentication root key certificate, and is compared with a hash value obtained by performing a hash process on the server authentication root key. When the decrypted digital signature matches the hash value, it is possible to confirm that the server authentication root key is not damaged, for example.
When the client apparatus requests communications with the server apparatus in the client/server system constructed by the client apparatus and the server apparatus as mentioned above, the client apparatus and the server apparatus perform the following processes.
First, the server apparatus generates a random number in response to a communication request from the client apparatus, encrypts the random number with the server private key, and transmits the encrypted random number and the server public key certificate to the client apparatus.
Upon reception of the encrypted random number and the server public key certificate, the client apparatus verifies the received server public key certificate by using the root key certificate. This verification includes a process of confirming that the server apparatus is an appropriate communication party by referring to the bibliographic information as well as the process of confirming that the server public key is not damaged and/or altered as mentioned above.
When the verification succeeds, the received random number is decrypted by using the server public key included in the received server public key certificate. When the decryption succeeds, it is possible to confirm that the random number was surely received from the server apparatus to which the server public key certificate was issued. Accordingly, with the above-mentioned processes, it is possible to verify that the server apparatus is an appropriate communication party.
In addition, by encrypting a key for common key encryption with the above-mentioned public key and decrypting it with the corresponding private key, it is possible to exchange a common key safely and establish a secure communication channel in which the contents of communications are encrypted by common key encryption.
Conversely to the above-mentioned case, it is also conceivable that the server apparatus authenticates the client apparatus.
In this case, in order to perform an authentication process, a client private key and a client public key certificate (client certificate) are stored in the client apparatus, and a root key certificate for client authentication (client authentication root key certificate) is stored in the server apparatus. The client private key is a private key issued by the CA with respect to the client apparatus. The client public key certificate is a digital certificate obtained by attaching a digital signature by the CA to a public key corresponding to the client private key. The client authentication root key certificate is a digital certificate obtained by attaching a digital signature by the CA to a client authentication root key, which is a certification key corresponding to a CA key for client authentication (client authentication CA key) that is a private key for certification used for a digital signature with respect to the client public key.
Even in the case where the server apparatus authenticates the client apparatus, only the roles of the server apparatus and the client apparatus are reversed relative to the case where the client apparatus authenticates the server apparatus. Thus, the functions and structure of each key and certificate are similar to those mentioned above. By using the above-mentioned keys and certificates, it is possible to perform authentication similar to that in the above-mentioned case by the procedure: encrypt a random number with the private key→transmit the encrypted random number together with the public key certificate→the receiving apparatus verifies the public key certificate by using the root key certificate→decrypt the random number by using the public key included in the public key certificate.
Further, by combining the above-mentioned two one-way authentication processes, it is possible to perform mutual authentication in which the server apparatus and the client apparatus authenticate each other.
It should be noted that the server CA key and the client authentication CA key need not always be different, nor need the server authentication root key certificate and the client authentication root key certificate. Additionally, when generically referring to a key for server authentication and one for client authentication, such a key is simply referred to as, for example, “the CA key”, “the root key”, or “the root key certificate”.
In public-key cryptography, though it depends on the key length, a private key may be derived from a public key given sufficient time. Once the private key is known, a third party can pose as the owner of the private key, and the reliability of authentication and the security of communications can no longer be maintained. Therefore, more and more users are adopting a security policy that sets expiration dates for keys and updates the keys at predetermined intervals. Hence, when providing, for example, the above-mentioned remote management system using mutual authentication, it is becoming necessary to guarantee to customers that the system is capable of updating the keys. The same applies to root keys and CA keys. Besides the arrival of a predetermined expiration date, a reason for updating the keys may be, for example, a case where it is established that a private key has been disclosed to a third party.
A technique related to updating of keys is disclosed in Japanese Laid-Open Patent Application No. 11-122238, for example.
However, although Japanese Laid-Open Patent Application No. 11-122238 describes updating of a key issued for each apparatus, it does not describe updating of a root key.
In the case of the public-key cryptography, in order to update a pair of keys issued to each apparatus, a new public key certificate corresponding to a new private key is stored in the apparatus. By giving the new public key certificate to a communication party, it is possible to perform the authentication process shown in FIG. 5.
However, when a root key is updated, a digital signature attached to a previous digital certificate cannot be decrypted by the new root key. Hence, a problem may occur in the authentication process shown in FIG. 5 unless a public key certificate for each apparatus is created anew by using a new CA key corresponding to the new root key and the created public key certificate is distributed (it is not always necessary, however, to update the private key of each apparatus).
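The verification chain described earlier (self-signed root key certificate, server public key certificate signed by the CA key, random-number exchange checked with the public key carried in the certificate) and the root key update problem of this paragraph, as an added worked example in Go that is not part of the patent text. It uses the Go standard library's crypto/x509 package with Ed25519 keys; the certificate names and serial numbers are constructed for the example, and where the description says the server "encrypts a random number with the server private key", the example uses a digital signature over the random number, which is the operation that modern libraries provide for this step. The final step shows the cure the paragraph names: re-issuing the server certificate under the new CA key while the server's own key pair stays unchanged.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must aborts on an unexpected error (key generation, DER encoding).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	return pub, priv
}

// certify signs pub with signerKey under the signer certificate, recording the signer
// as issuer. With signer == nil the certificate is self-signed and marked as a CA: a root key certificate.
func certify(name string, pub ed25519.PublicKey, signer *x509.Certificate, signerKey ed25519.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if signer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
		signer = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// clientVerifies is the client side: verify the received server certificate against the
// stored root key certificate, then verify the server's signature over the random challenge.
func clientVerifies(root, serverCert *x509.Certificate, challenge, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := serverCert.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return err
	}
	pub, ok := serverCert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return errors.New("challenge signature does not verify")
	}
	return nil
}

// RotationResult records what each step of the demonstration showed.
type RotationResult struct {
	SelfSignatureOK bool // the root certificate's own signature verifies
	OldRootAccepts  bool // the server certificate verifies under the root that signed it
	TamperRejected  bool // a signature over a different challenge is rejected
	NewRootRejects  bool // the same server certificate fails under a new root
	ReissuedAccepts bool // the same server key, re-certified under the new CA key, verifies
}

// DemoRootRotation runs the verification, then the root key update.
func DemoRootRotation() RotationResult {
	var r RotationResult
	caPub1, caKey1 := newKey()
	root1 := certify("example root 1", caPub1, nil, caKey1, 1)
	r.SelfSignatureOK = root1.CheckSignatureFrom(root1) == nil
	srvPub, srvKey := newKey()
	srvCert := certify("server-1", srvPub, root1, caKey1, 2)
	// The server signs a random value (the description: "encrypts a random number with the server private key").
	challenge := make([]byte, 32)
	_, err := rand.Read(challenge)
	must(err)
	sig := ed25519.Sign(srvKey, challenge)
	r.OldRootAccepts = clientVerifies(root1, srvCert, challenge, sig) == nil
	altered := append([]byte{}, challenge...)
	altered[0] ^= 0xff
	r.TamperRejected = clientVerifies(root1, srvCert, altered, sig) != nil
	// Root key update: the client now trusts only the new root, so the old CA key's signature no longer verifies.
	caPub2, caKey2 := newKey()
	root2 := certify("example root 2", caPub2, nil, caKey2, 1)
	r.NewRootRejects = clientVerifies(root2, srvCert, challenge, sig) != nil
	// Re-issuing the server certificate under the new CA key restores verification; the server key pair is unchanged.
	srvCert2 := certify("server-1", srvPub, root2, caKey2, 3)
	r.ReissuedAccepts = clientVerifies(root2, srvCert2, challenge, sig) == nil
	return r
}
```

All five fields of the returned RotationResult are true on a run: the root's self-signature checks, the old root accepts the certificate it signed, a signature over an altered challenge is rejected, the new root rejects the old certificate, and the re-issued certificate verifies again without the server's private key changing.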
Additionally, since no method has been known for updating a root key without disrupting the authentication process, it has been impossible to safely transmit the root key via a network to an apparatus that needs its root key updated. For this reason, it has been necessary to deliver a root key certificate and/or a new public key certificate to each apparatus via another safe route.
An example of such a route is registered mail. It is conceivable to send to the administrator of an apparatus a recording medium, such as a memory card or a floppy disk, on which certificate data are recorded, and to have the administrator update the key of the apparatus. However, this method is applicable only when each client apparatus and server apparatus has an administrator with sufficient knowledge. Additionally, the CA has to trust the administrator of the apparatus with respect to the processes performed after the recording medium is delivered. Thus, there has been a problem in that the authentication process cannot be performed when the administrator fails to perform, or erroneously performs, the updating processes.
On the other hand, the administrator has to judge whether the received certificate is valid by trusting, for example, the sender's name on an envelope or in the data. Thus, there is always a risk that a false certificate, received from a person impersonating the CA, is stored in an apparatus.
In addition, it is conceivable to update a key by sending a service person from the CA, or from the provider of the client server system's service, to the location where each apparatus is installed. However, in order to adopt such a system over a wide area, many service centers are required, which increases costs. There are also problems such as the education of service persons, the prevention of fraud by service persons, and the management of administrator IDs for updating operations. For example, if a simple method of manually inputting authentication information is adopted, then in order to revoke the updating authority of a retired service person, it is necessary to change the authentication information stored in each apparatus. However, it is difficult to perform such a change on a large number of apparatuses installed at customer sites.
In the end, ensuring a safe delivery route for a certificate without using a network leaves no choice but to trust human beings, which leaves room for fraud. Although management can reduce that room for fraud, such management requires enormous costs. Thus, it has been impractical to build a certificate delivery route that eliminates the need to consider the risk of fraud.
As for a dedicated communication channel for updating, it is conceivable to prepare a communication channel that uses a digital certificate and a root key certificate dedicated to the updating process, different from the digital certificate and the root key certificate used in normal communications. However, in a case where the client apparatus authenticates the server apparatus, such a method has a problem.
That is, in this case, the server apparatus transmits its digital certificate to the client apparatus when a connection request arrives from the client apparatus. However, where the server apparatus may receive connection requests from an unspecified number of client apparatuses at arbitrary times, it is difficult for the server apparatus to determine appropriately which digital certificate (the digital certificate for normal communications or the digital certificate for the updating process) is to be transmitted to each client apparatus.
It is conceivable that the server apparatus determines what digital certificates are to be transmitted to the client apparatuses by using a session identifier at the time of the communication request, such as a source end-point identifier, a destination end-point identifier, and a URL (Uniform Resource Locator). However, in order to perform such determination, it is necessary to provide in the client apparatuses a function of switching the session identifier (e.g., URL) depending on whether communications are normal communications or communications for updating, and provide in the server apparatus a function of managing a corresponding relationship between the source end-point identifier and a digital certificate to be transmitted. Providing such functions results in an increase in costs.
Accordingly, there has been a demand to avoid providing in the server apparatus a function that selects, based on information available before communications start (e.g., the session identifier), the digital certificate to be transmitted to the client apparatus. In addition, if two kinds of communication channels are provided using the same protocol, then when authentication fails it is difficult to determine whether the failure is caused by an abnormality in the digital certificate or by an error in the session identifier.
As mentioned above, providing a dedicated communication channel for root key updating results in an increase in costs and management load. Thus, there has been a demand to safely update the root key without providing such a dedicated communication channel.